We are using the accept customer hosted form solution right now and we are in a situation where someone is using our form to test credit card numbers to see if they are valid. They are inputting a lot of cards, so it seems likely a script is being used, and we are getting charged for the declines and have the possibility of getting shut down.
We have the ability to use the fraud detection suite, but the problem is it's all based on IP address and we do not know how to pass the IP address to the hosted form. I've looked through the documentation, but was not successful. Is there a way to pass in an IP address? If not, is there any suggestion on how we can prevent a user from entering a mass amount of credit card numbers in the form? We put in a timeout for the form so it only stays open for a minute, but you can imagine that is not ideal.
I will let someone else respond on the customerIP and Accept Hosted part of your question.
But have you tried using one of the transaction velocity filters -- daily or hourly? These will let you hold for review or decline all transactions after a certain number of transactions has been exceeded, regardless of which customerIP they originate from.
You can log in to account.authorize.net, then click on fraud detection suite, and find these two filters under card testing settings.
For general protection, we also recommend activating the Suspicious Transaction Activity filter and setting it to hold for review.
Read more here: www.authorize.net/our-features/advanced-fraud-detection/
From what I am told, those filters were all turned on, but the problem they ran into was once that one person hit the limit of declines, ALL further transactions were blocked for everyone. They also said they turned on the suspicious transaction activity and it ended up flagging a bunch of legitimate transactions.
We are going the IP address route because hopefully that won't cause the fraud detection to shut everyone out.
Since I have no control over what happens in the hosted form, I have no idea what they are doing in there. I'm trying to find a way to pass in the IP address, but so far no luck.
I appreciate the suggestion though. In theory it sounds like a solution, but I'm told it's making things worse for us.
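
The trade-off discussed in this thread, as an added example that is not part of any post and is not Authorize.net's filter logic: a simplified model of an account-wide hourly limit beside a per-IP limit, run over constructed attempts. The threshold, the addresses and the rule that refused attempts still count are assumptions, as is the premise that the merchant's own server sees the client IP.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds: an hourly window, like the hourly velocity filter
LIMIT = 5      # constructed threshold, not an Authorize.net default


def throttle(events, key, limit=LIMIT, window=WINDOW):
    """Return [(ip, allowed)] for time-ordered (timestamp, ip) attempts.

    key(ip) picks the counter an attempt is charged to. Every attempt
    counts toward the limit, including ones that were refused.
    """
    history = defaultdict(deque)
    decisions = []
    for ts, ip in events:
        q = history[key(ip)]
        while q and ts - q[0] >= window:
            q.popleft()  # drop attempts that fell out of the window
        q.append(ts)
        decisions.append((ip, len(q) <= limit))
    return decisions


def summarize(decisions, tester_ip):
    """Count refused legitimate attempts and allowed card-testing attempts."""
    legit_refused = sum(1 for ip, ok in decisions if ip != tester_ip and not ok)
    tester_allowed = sum(1 for ip, ok in decisions if ip == tester_ip and ok)
    return legit_refused, tester_allowed


# Constructed sample: one scripted client submitting every 2 seconds,
# plus three ordinary customers (documentation-range addresses).
TESTER = "203.0.113.7"
EVENTS = sorted(
    [(t, TESTER) for t in range(0, 40, 2)]
    + [(15, "198.51.100.10"), (31, "198.51.100.11"), (45, "198.51.100.12")]
)

account_wide = throttle(EVENTS, key=lambda ip: "account")  # one shared counter
per_ip = throttle(EVENTS, key=lambda ip: ip)               # one counter per address

if __name__ == "__main__":
    print("account-wide:", summarize(account_wide, TESTER))
    print("per-IP:      ", summarize(per_ip, TESTER))
```

In this model the shared counter refuses all three ordinary customers once the scripted client exhausts it, while the per-IP counter refuses none of them and caps the scripted client at the same five attempts. A per-IP counter only holds while the attempts keep coming from one address.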